Cybersecurity | May 22, 2026

Inside Webworm: How China-Linked APT Abuses Discord, Microsoft Graph API, and VPN Proxies to Breach EU Governments

By LNS Engineer

Introduction

A new and sophisticated espionage campaign attributed to the China-linked Webworm advanced persistent threat (APT) group is turning heads across the cybersecurity community. Recent threat intelligence reveals that Webworm is abusing legitimate cloud services — Discord, Microsoft Graph API, and SoftEther VPN — to breach European government networks with alarming stealth.

Unlike traditional APT tradecraft that relies on custom malware and dedicated infrastructure, Webworm is camouflaging its operations within the noise of everyday enterprise cloud traffic. This "living-off-the-cloud" approach makes detection exceptionally difficult and represents a significant evolution in nation-state espionage tactics.

Who Is Webworm?

Webworm is a lesser-known but increasingly active China-linked APT group that has historically targeted government entities, telecommunications providers, and critical infrastructure across Asia and Europe. While not as prolific as APT41 or Hafnium, Webworm distinguishes itself through its creative abuse of legitimate platforms and its focus on stealth over speed.

Previous campaigns attributed to Webworm include:

  • Targeting telecom providers in Southeast Asia with custom DLL sideloading techniques
  • Compromising energy sector organizations in Eastern Europe
  • Long-dwell espionage operations measured in months rather than days

The latest campaign targeting EU governments represents a significant escalation in both ambition and technical sophistication.

Technical Deep Dive: The Three-Phase Attack Chain

Phase 1: Discord as Command-and-Control Infrastructure

Discord's API offers a rich set of features that are invaluable for legitimate developers — and irresistible to threat actors. Webworm leverages Discord's bot infrastructure in several ways:

  • Webhook-based data exfiltration: Compromised systems push stolen data to attacker-controlled Discord webhooks, where it appears as innocuous chat messages
  • Bot token C2 communication: Attackers embed Discord bot tokens in their implants, allowing bidirectional communication through Discord's servers
  • CDN abuse for payload hosting: Malware payloads and second-stage implants are hosted on Discord's CDN (cdn.discordapp.com), blending in with millions of legitimate file uploads

Because Discord traffic is ubiquitous in many enterprise environments — used by developers, gaming communities, and even corporate teams — SSL/TLS inspection often explicitly bypasses Discord domains, giving attackers a convenient blind spot.

Phase 2: Microsoft Graph API for Stealth Persistence

Perhaps the most dangerous component of Webworm's arsenal is its abuse of Microsoft Graph API for persistence. The attack flow works like this:

  1. Initial compromise — often via spear-phishing or vulnerable edge devices — gains a foothold
  2. The attacker escalates privileges and creates or compromises an OAuth application within the victim's Azure AD/Entra ID tenant
  3. The malicious OAuth app requests broad permissions (Mail.Read, Files.ReadWrite.All, Directory.Read.All) under the guise of a legitimate integration
  4. Once granted consent — often by an unwitting administrator — the app provides persistent, API-level access that survives password resets, MFA changes, and even account deactivation

What makes this technique particularly dangerous is that the Microsoft Graph API access:

  • Appears as legitimate application activity, not user logins
  • Bypasses conditional access policies that only evaluate interactive user sessions
  • Leaves minimal forensic traces in traditional security logs

Phase 3: SoftEther VPN SOCKS Proxies for Lateral Movement

For lateral movement and network tunneling, Webworm deploys SoftEther VPN — an open-source, multi-protocol VPN solution — configured in SOCKS proxy mode. This allows attackers to:

  • Tunnel traffic from compromised networks back to attacker-controlled infrastructure
  • Pivot through internal network segments using legitimate VPN protocols
  • Evade network-based detection by blending in with legitimate VPN traffic

SoftEther supports SSL-VPN, L2TP/IPsec, and OpenVPN protocols, giving attackers flexibility to adapt to different network environments. In the EU government breaches, Webworm configured SoftEther instances to proxy traffic through HTTPS, making the tunneling activity virtually indistinguishable from normal encrypted web traffic.

Why EU Governments Are Prime Targets

The targeting of European Union government entities aligns with broader Chinese state interests:

  • Economic intelligence: Understanding EU trade policy, regulatory frameworks, and economic sanctions
  • Geopolitical positioning: Monitoring EU stances on Taiwan, South China Sea, and technology export controls
  • Technology transfer: Accessing research, intellectual property, and defense-related information

The Detection Challenge

Traditional security tools struggle to detect Webworm's techniques because:

| Technique | Why It's Hard to Detect |
|-----------|------------------------|
| Discord C2 | Discord domains are often allow-listed; traffic is encrypted |
| Graph API persistence | App-level API access blends with legitimate SaaS integrations |
| SoftEther proxies | VPN traffic appears as standard HTTPS |

Six-Point Defense Playbook

1. Audit OAuth Application Permissions

Conduct an immediate review of all OAuth applications registered in your Entra ID/Azure AD tenant. Look for:

  • Applications with excessive permissions (Mail.Read, Files.ReadWrite.All)
  • Recently created or modified applications
  • Applications consented to by a single admin account
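The permission review in this step, and the consent-grant chain described under Phase 2, as an added example that is not code from the original post: a Python audit over an offline export of the tenant's service principals, their appRoleAssignments, and the Microsoft Graph resource service principal's appRoles catalogue (needed because an assignment carries only an appRoleId GUID, not the permission name). All GUIDs, app names and dates are constructed sample data.

```python
"""Audit Entra ID service principals for high-risk Graph application permissions.

Added example, not code from the original post. It reads an offline export of
/servicePrincipals, each SP's appRoleAssignments, and the Microsoft Graph resource
SP's appRoles catalogue. All IDs, names and dates below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Application permissions the post singles out as excessive for a routine integration.
HIGH_RISK_ROLES = {"Mail.Read", "Files.ReadWrite.All", "Directory.Read.All"}
# Constructed stand-in for the Graph resource SP's appRoles (real tenants expose real GUIDs).
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-00000000a001", "value": "Mail.Read"},
    {"id": "00000000-0000-0000-0000-00000000a002", "value": "Files.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-00000000a003", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-00000000a004", "value": "User.Read.All"},
]
# Constructed enterprise apps and the appRoleAssignments granted to each.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "HR Sync Connector", "createdDateTime": "2024-01-10T09:00:00Z"},
    {"id": "sp-2", "displayName": "Mail Archive Helper", "createdDateTime": "2026-05-18T02:14:00Z"},
]
APP_ROLE_ASSIGNMENTS = {
    "sp-1": [{"appRoleId": "00000000-0000-0000-0000-00000000a004"}],
    "sp-2": [{"appRoleId": "00000000-0000-0000-0000-00000000a001"},
             {"appRoleId": "00000000-0000-0000-0000-00000000a002"}],
}
AUDIT_NOW = datetime(2026, 5, 22, tzinfo=timezone.utc)  # fixed "now" for the sample run

def resolve_roles(assignments, catalogue):
    """Translate appRoleId GUIDs into permission names via the resource SP's appRoles."""
    by_id = {r["id"]: r["value"] for r in catalogue}
    return sorted(by_id.get(a["appRoleId"], "UNKNOWN:" + a["appRoleId"]) for a in assignments)

def audit(sps, assignments, catalogue, now, recent_days=30):
    """Return one finding per SP that holds a high-risk role or was created recently."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for sp in sps:
        roles = resolve_roles(assignments.get(sp["id"], []), catalogue)
        risky = sorted(HIGH_RISK_ROLES.intersection(roles))
        created = datetime.fromisoformat(sp["createdDateTime"].replace("Z", "+00:00"))
        reasons = []
        if risky:
            reasons.append("high-risk app permissions: " + ", ".join(risky))
        if created >= cutoff:
            reasons.append(f"created {(now - created).days} days ago")
        if reasons:
            findings.append({"id": sp["id"], "displayName": sp["displayName"], "reasons": reasons})
    return findings
```

Calling `audit(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES, AUDIT_NOW)` on the sample data reports only "Mail Archive Helper", for both reasons; an unresolved GUID surfaces as `UNKNOWN:<id>` rather than being silently skipped.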

2. Monitor Microsoft Graph API Activity

Enable and review Microsoft Graph API audit logs. Key indicators:

  • Unusual data access patterns (bulk file downloads, mailbox enumeration)
  • API calls originating from unexpected IP ranges
  • High-frequency API requests outside normal business hours
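The three indicators above applied to sample records, as an added example that is not code from the original post: the rows are constructed in the shape of Microsoft Graph activity-log entries, and the column layout, the corporate egress range and the alert thresholds are assumptions to adapt to your own export.

```python
"""Flag suspicious Microsoft Graph API activity per application.

Added example, not code from the original post. Rows are constructed in the shape
of Graph activity-log records; the column layout, corporate egress range and
thresholds are assumptions to adapt to your own export."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed egress range
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC treated as normal working hours
BULK_THRESHOLD = 3                   # mailbox/file reads per app per hour before alerting
OFF_HOURS_THRESHOLD = 3              # off-hours requests per app before alerting
# Request paths that enumerate mailboxes or download file content.
BULK_PATTERNS = re.compile(r"/messages|/mailFolders|/drives?/.*/content", re.I)

# Constructed rows: (TimeGenerated, AppId, IPAddress, RequestUri).
LOG = [
    ("2026-05-20T10:05:00Z", "app-hr", "203.0.113.10", "https://graph.microsoft.com/v1.0/users?$top=100"),
    ("2026-05-20T02:10:00Z", "app-mail", "198.51.100.7", "https://graph.microsoft.com/v1.0/users/u1/messages?$top=500"),
    ("2026-05-20T02:11:00Z", "app-mail", "198.51.100.7", "https://graph.microsoft.com/v1.0/users/u2/messages?$top=500"),
    ("2026-05-20T02:12:00Z", "app-mail", "198.51.100.7", "https://graph.microsoft.com/v1.0/users/u3/messages?$top=500"),
    ("2026-05-20T02:13:00Z", "app-mail", "198.51.100.7", "https://graph.microsoft.com/v1.0/drives/d1/items/i9/content"),
]

def analyse(rows):
    """Return {app_id: [reasons]} for apps matching the three indicators."""
    bulk = defaultdict(int)          # (app, hour bucket) -> bulk-style calls
    off_hours = defaultdict(int)     # app -> requests outside BUSINESS_HOURS
    foreign = defaultdict(set)       # app -> source IPs outside CORPORATE_RANGES
    for ts, app, ip, uri in rows:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if BULK_PATTERNS.search(uri):
            bulk[(app, t.strftime("%Y-%m-%dT%H"))] += 1
        if t.hour not in BUSINESS_HOURS:
            off_hours[app] += 1
        if not any(ipaddress.ip_address(ip) in net for net in CORPORATE_RANGES):
            foreign[app].add(ip)
    findings = defaultdict(list)
    for (app, hour), n in bulk.items():
        if n >= BULK_THRESHOLD:
            findings[app].append(f"{n} bulk mailbox/file reads in hour {hour}")
    for app, n in off_hours.items():
        if n >= OFF_HOURS_THRESHOLD:
            findings[app].append(f"{n} requests outside business hours")
    for app, ips in foreign.items():
        findings[app].append("requests from unexpected IPs: " + ", ".join(sorted(ips)))
    return dict(findings)
```

With the sample rows, `analyse(LOG)` reports only `app-mail`, on all three indicators; the HR connector's daytime, in-range directory query produces nothing.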

3. Inspect Discord Traffic Patterns

Don't blanket-allow Discord domains. Consider:

  • SSL decryption for Discord-related traffic where feasible
  • Network traffic analysis for large uploads to cdn.discordapp.com
  • DNS query monitoring for unusual Discord webhook or API subdomains

4. Hunt for SoftEther and Unauthorized VPNs

Deploy hunting queries for:

  • SoftEther-specific process artifacts and registry keys
  • Unusual outbound VPN connections, especially to cloud-hosted IPs
  • SOCKS proxy configurations on non-administrative endpoints

5. Adopt Zero Trust Principles

Implement a Zero Trust architecture that:

  • Continuously verifies every access request regardless of source
  • Limits lateral movement through network micro-segmentation
  • Requires just-in-time access for privileged operations

6. Develop Cloud-Focused Incident Response Playbooks

Update IR playbooks to include cloud-specific scenarios:

  • OAuth application compromise
  • Cloud API abuse detection and containment
  • Cross-platform threat hunting (Discord, Microsoft 365, VPN gateways)

Conclusion

The Webworm campaign is a masterclass in modern nation-state tradecraft. By weaponizing the very platforms that enterprises trust and rely on, Webworm renders traditional perimeter defenses and signature-based detection largely ineffective.

Defenders must evolve their detection strategies to match the sophistication of these cloud-native attack chains. The key takeaway: if you're not monitoring your OAuth applications, Graph API audit logs, and cloud service DNS queries, you may already be compromised and simply not know it.

Organizations — particularly those in government and critical infrastructure sectors — should treat this threat intelligence as a catalyst for immediate security posture improvements. The era of cloud-trusted APT operations is here, and Webworm is leading the charge.
